US5745701AExpiredUtility

Security protected system for interconnection of local networks via a public transmission network

69
Assignee: FRANCE TELECOMPriority: Feb 14, 1994Filed: Feb 13, 1995Granted: Apr 28, 1998
Est. expiryFeb 14, 2014(expired)· nominal 20-yr term from priority
H04Q 3/62
69
PatentIndex Score
45
Cited by
15
References
18
Claims

Abstract

A system for interconneting local networks via a public transmission network, in which equipment items of the microcomputer type, connected to a local network A, are capable of being connected to the public network by a router X in order to communicate with one or more equipment items of the microcomputer type connected to at least one other local network B, which are capable of being linked to the public network by a router Y. The system includes security protection of the establishment of the communications between the local networks over the public network, implementing a certificate exchange mechanism and the software procedures for active authentication, of the "challenge-response" type being placed in the routers.

Claims

exact text as granted — not AI-modified
We claim: 
     
       1. A system for interconnecting a plurality of local networks via a public transmission network, in which a first plurality of stations, connected to a first local network, are capable of being connected to the public network by a first router in order to communicate with one or more of a second plurality of stations connected to a second local network, the second plurality of stations being capable of being linked to the public network by a second router, and the first and second local networks being included among the plurality of local networks, the system comprising a first security device which protects the establishment of the communications between the first and second local networks over the public network, the first security device implementing an authentication certificate exchange mechanism, and a second security device which protects the establishment of the communications between the first and second local networks over the public network the second security device implementing the authentication certificate exchange mechanism in cooperation with the first security device; and   wherein the first and second security devices are respectively placed in the first and second routers.   
     
     
       2. A network interconnection system according to claim 1, wherein the first router includes control and processing means, means for connection to the first local network and means for connection to the public network, and wherein the security protection device includes processing means,   means for connecting the control and processing means of the first router to the bus,   program and data storage means, the storage means further including a certificate table making it possible to verify, upon each establishment of a communication and sending of the certificate, that the information corresponding to the certificate corresponds to an authorized, indexed station,   the procedures for active authentication of the calling station.     
     
     
       3. A network interconnection system according to claim 2, wherein each certificate of the table corresponds to a signed data item indicating a local network address, a public network address, and the type of station to which the certificate corresponds. 
     
     
       4. A network interconnection system according to claim 1, wherein each certificate is signed using a public-key signature algorithm. 
     
     
       5. A network interconnection system according to claim 1, wherein the first router performs a function of certification authority with respect to other routers of the remaining plurality of protected local networks and, to do that, generates a public key-secret key pair allowing it, by means of a signature algorithm, installed in its program memory, to obtain the certificate table to be loaded into the data storage means of the other routers. 
     
     
       6. A network interconnection system according to claim 1, wherein each router includes, in its program memory, a signature verification--algorithm and the public key, so as to verify the validity of the certificate for each incoming call. 
     
     
       7. A method of interconnecting a plurality of protected local networks over a public network, the plurality of protected local networks forming a closed subscriber group, the method comprising the steps of connecting the plurality of protected local networks to the public network, the plurality of protected local networks each including a router and a plurality of stations, and the connecting step being performed by each respective router;   providing network-level protection for each of the plurality of protected local networks, the protection being against unauthorized stations which are external to the closed subscriber group, the protection being network-level protection in that it is provided by each respective router to substantially all of the stations the respective router connects to the public network, the providing step including the step of implementing an authentication certificate exchange mechanism substantially whenever any first station of one of the plurality protected of local networks attempts to initiate a connection with any second station of a different one of the plurality of local networks, the implementing step including the steps of requiring a first router having a first security device to present a certificate on behalf of the first station in order to ensure that the first station is included in the closed subscriber group, the first router being the router which connects the first station to the public network, the requiring step being performed by a second security device of a second router, and the second router being the router which connects the second station to the public network,   generating the certificate, the generating step being performed by the first security device,   authenticating the certificate, the authenticating step being performed by the second security device, and   in response to the authenticating step, permitting the first station to establish a connection with the second station, the permitting step being performed by the second security device; and     wherein an unauthorized station is unable to gain access to stations of the closed subscriber group because there is not a router which presents an acceptable certificate on behalf of the unauthorized station.   
     
     
       8. A method according to claim 7, wherein the generating step further comprises the step of accessing a certificate table, the certificate table containing certificates for substantially all of the stations which the first router connects to the public network, the certificates being based on information specific to each individual station. 
     
     
       9. A method according to claim 8, wherein each certificate of the table corresponds to a signed data item indicating a local network address, a public network address, and the type of station to which the certificate corresponds. 
     
     
       10. A method according to claim 9, wherein each certificate is signed using a public-key signature algorithm. 
     
     
       11. A method according to claim 7, wherein the first router performs a function of certification authority with respect to the other routers and, to do that, generates a public key-secret key pair allowing it, by means of a signature algorithm, installed in its program memory, to obtain the certificate table to be loaded into the data storage means of the other routers. 
     
     
       12. A method according to claim 7, wherein each router includes, in its program memory, a signature verification algorithm and the public key, so as to verify the validity of the certificate for each incoming call. 
     
     
       13. A system comprising: a public network; and   a plurality of protected local networks, the plurality of protected local networks being connected to the public network, the plurality of protected local networks forming a closed subscriber group, the plurality of local networks including a first local network and a second local network,   the first local network including a first plurality of stations,   a first router, the first router connecting the first local network to the public network, the first router including a first security device which further includes a first memory, the first memory storing information specific to each of the first plurality of stations, and   a first processor, and       the second local network including a second plurality of stations,   a second router, the second router connecting the second local network to the public network, the second router including a second security device which further includes a second memory, the second memory storing information specific to each of the first plurality of stations,   a second processor, the second processor cooperating with the first processor to implement an authentication certificate exchange mechanism based on the information stored in the first and second memories, the authentication certificate exchange permitting a first station to be connected to a second station, the first station being one of said first plurality of stations of said first local network and the second station being one of the second plurality of stations of the second local network, and       wherein the first and second security devices provide network-level protection for the first and second protected local networks, the protection being against unauthorized stations which are not included in the closed subscriber group, the protection being network-level protection in that the first and second security devices respectively provide the protection to all of the stations in the first and second protected local networks, and   wherein an unauthorized station is unable to gain access to stations of the closed subscriber group because there is not a router which presents an acceptable certificate on behalf of the unauthorized station.   
     
     
       14. A system according to claim 13, wherein the first and second routers each comprise a certificate table, the certificate table containing certificates for substantially all of the stations which the first router connects to the public network, the certificates being based on information specific to each individual station. 
     
     
       15. A system according to claim 14, wherein each certificate of the table corresponds to a signed data item indicating a local network address, a public network address, and the type of station to which the certificate corresponds. 
     
     
       16. A system according to claim 15, wherein each certificate is signed using a public-key signature algorithm. 
     
     
       17. A method according to claim 13, wherein the first router performs a function of certification authority with respect to the other routers and, to do that, generates a public key-secret key pair allowing it, by means of a signature algorithm, installed in its program memory, to obtain the certificate table to be loaded into the data storage means of the other routers. 
     
     
       18. A method according to claim 13, wherein each router includes, in its program memory, a signature verification algorithm and the public key, so as to verify the validity of the certificate for each incoming call.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.